Hi,
- product version = 9.0.1
- product type = Angular
- product framework type = .net core 3.1
SecurityTokenExpiredException reported in Azure
Reviewing SQL activity, the DTU utilization is low
Reviewing application insights in Azure for the web app there are frequent exceptions raised around SecurityTokenExpiredException.
Digging into the transaction detail for one example, a 12.7 delay was caused by this exception consuming /api/TokenAuth/Authenticate
Simply refreshing the login page is one example where the exception is raised. Timings can vary.
Logs:
Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException:
   at Microsoft.IdentityModel.Tokens.Validators.ValidateLifetime (Microsoft.IdentityModel.Tokens, Version=5.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateLifetime (System.IdentityModel.Tokens.Jwt, Version=5.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload (System.IdentityModel.Tokens.Jwt, Version=5.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken (System.IdentityModel.Tokens.Jwt, Version=5.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
   at SSD.Web.Authentication.JwtBearer.SSDJwtSecurityTokenHandler.ValidateToken (SSD.Web.Core, Version=9.0.1.0, Culture=neutral, PublicKeyToken=null: D:\a\1\s\SSD\aspnet-core\src\SSD.Web.Core\Authentication\JwtBearer\SSDJwtSecurityTokenHandler.cs:42)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler+<HandleAuthenticateAsync>d__6.MoveNext (Microsoft.AspNetCore.Authentication.JwtBearer, Version=3.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
Thanks
14 Answer(s)
-
0
Hi @shedspotter
That error is thrown by the System.IdentityModel.Tokens.Jwt.ValidateToken method (see: https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler.validatetoken?view=azure-dotnet). Refreshing your browser should not cause the error. Can you please check these:
- Check if your token lifetime is long enough. (https://github.com/aspnetzero/aspnet-zero-core/blob/2269967cc03e5c460e2d6c0833cb97feaa5d1fad/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Application.Shared/AppConsts.cs#L49)
- Check if your current token is really expired? (you can use https://jwt.io/)
- Check if your current token exists, if it exists store it. Then refresh your browser and check if they are equal.
-
0
Hi musa.demir,
Thank you for the response
Step 1: It is the same as in the shared link.
Step 2: The current token is not expired.
Step 3: After following the 3rd step, the previous token and the new token after refreshing the browser have the same expiration time.
Thanks
-
0
Hi @shedspotter
Can you please share your token's exp field and the exact time you get the error (with timezone)? It might have a timezone problem.
-
0
Hi @musa.demir
Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6Ijk0IiwiaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvbmFtZSI6ImNzaGFoIiwiQXNwTmV0LklkZW50aXR5LlNlY3VyaXR5U3RhbXAiOiJXR0wyWEg1RFg1Sk9aWEFMU0FUM1Y0V1BUUURDSVJKRSIsImh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd3MvMjAwOC8wNi9pZGVudGl0eS9jbGFpbXMvcm9sZSI6IkFkbWluIiwiaHR0cDovL3d3dy5hc3BuZXRib2lsZXJwbGF0ZS5jb20vaWRlbnRpdHkvY2xhaW1zL3RlbmFudElkIjoiMTAyIiwiaHR0cDovL3d3dy5hc3BuZXRib2lsZXJwbGF0ZS5jb20vaWRlbnRpdHkvY2xhaW1zL2ltcGVyc29uYXRvclVzZXJJZCI6IjEiLCJzdWIiOiI5NCIsImp0aSI6ImM1OTRmZDA1LWYyMTUtNDhhYy05ODYyLWVkZWE2ZjFlMzdjMSIsImlhdCI6MTYzNTMxMDkzNiwidG9rZW5fdmFsaWRpdHlfa2V5IjoiZmNjY2ZhNDktNWRjMi00ODYwLWE0OGQtMDdkY2I3YjUzNDBiIiwidXNlcl9pZGVudGlmaWVyIjoiOTRAMTAyIiwidG9rZW5fdHlwZSI6IjAiLCJuYmYiOjE2MzUzMTA5MzYsImV4cCI6MTYzNTM5NzMzNiwiaXNzIjoiU1NEIiwiYXVkIjoiU1NEIn0.M4VujdjiMq4QBVJ3EU2e_FtVdPwQNm1-ncqhdiRJcBc
-
0
Hi @shedspotter
Did you get the same error with this token? If so, could you share the exact time you get the error (with timezone)?
Thanks,
-
0
Hi @shedspotter
Can you reproduce the problem? If so, could you share your website URL and test user account credentials with [email protected]? If we can reproduce the problem, we can understand the real cause.
-
0
Hi,
I'm also getting a lot of SecurityTokenExpiredException exceptions.
We are having these exceptions with all tenants in the same timezone.
These exceptions are happening mainly with the following endpoints:
- POST /api/TokenAuth/Authenticate
- POST /signalr/negociate
SecurityTokenExpiredException is sometimes followed by SecurityTokenInvalidSignatureException.
Our app is having performance issues and we are tracking these exceptions on AppInsights.
I don't know how to reproduce this and help you guys find the issue...
Please tell me how I can help find this issue.
-
0
Hi @ricavir
Could you add a log to the TokenAuth/Authenticate method to log the token and DateTime.UtcNow? Then, share it with us for a request with this error? Could you also share which version of AspNet Zero you use?
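
Added example (not part of the original thread and not ASP.NET Zero code): a local check that compares a logged token's nbf/exp claims with the timezone-aware time logged for the failing request, so the token does not have to be pasted into a website. The function names and the sample token are constructed for illustration; the five-minute tolerance is the Microsoft.IdentityModel default clock skew and is an assumption about the application's configuration.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

def jwt_claims(token):
    """Decode the payload segment of a JWT. No signature check: diagnosis only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def lifetime_verdict(token, observed, skew=timedelta(minutes=5)):
    """Classify a token against the time logged for the failing request.

    observed must be timezone-aware. skew is the validator's tolerance
    (assumed default; read the real ClockSkew from the application's config).
    """
    if observed.tzinfo is None:
        raise ValueError("naive timestamp: the timezone must be stated")
    claims = jwt_claims(token)
    nbf = datetime.fromtimestamp(claims["nbf"], tz=timezone.utc)
    exp = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
    now = observed.astimezone(timezone.utc)
    if now < nbf - skew:
        verdict = "not-yet-valid"
    elif now > exp + skew:
        verdict = "expired"
    else:
        verdict = "valid"
    return {"verdict": verdict, "nbf": nbf, "exp": exp,
            "lifetime": exp - nbf, "remaining": exp - now}

def make_sample_token(nbf, exp):
    """Constructed, unsigned sample token so the example runs offline."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "HS256", "typ": "JWT"}),
                     seg({"sub": "1", "nbf": nbf, "exp": exp}), "sig"])

if __name__ == "__main__":
    issued = 1_700_000_000                  # constructed: 2023-11-14 22:13:20 UTC
    token = make_sample_token(issued, issued + 86_400)    # one-day lifetime
    wall_clock = (2023, 11, 15, 23, 0)      # time the error was seen
    as_local = datetime(*wall_clock, tzinfo=timezone(timedelta(hours=1)))
    as_utc = datetime(*wall_clock, tzinfo=timezone.utc)   # same digits, misread as UTC
    print(lifetime_verdict(token, as_local)["verdict"])
    print(lifetime_verdict(token, as_utc)["verdict"])
```

The same wall-clock reading gives opposite verdicts depending on the offset attached to it, which is why the error time has to be reported with its timezone.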
-
0
Hi @ismcagdas,
I'm using Abp 6.4. I can add a log as you requested and come back to you after.
While analysing this issue in my code, I found that the CreateJwtClaims method uses CacheManager... And I just figured out that I'm having issues with CacheManager when my Azure AppService is running on multiple instances. For example, when running with 2 instances, I'm not able to switch user to different tenant accounts (like this https://support.aspnetzero.com/QA/Questions/9502/Switching-tenant-fails-in-mutiple-docker-container-instances-setup)
Therefore, I'm wondering if all these issues are coming from cache management? (Should I use Redis?) What do you think?
-
0
Hi @ismcagdas,
Any news about my previous question about CacheManager?
-
0
Hi @ricavir
Sorry, I just saw your question. If you are using more than one instance of your app, it is suggested to use Redis or a similar central cache system. Otherwise, each instance will keep its own memory cache and there will be problems.
-
0
Hi @ismcagdas,
Tks for your answer, I will implement redis then.
-
0
Thanks @ricavir
@shedspotter did you make any progress on this?